Hector Martin

RFC 3986 s 7.5 contnd: "A password appearing within the userinfo component is deprecated and should be considered an error (or simply ignored) except in those rare cases where the 'password' parameter is intended to be public."

So as per the RFCs, if you put a password in a URL, it's because you intend it to be public. So curl's behavior is fine. (Curl has command line arguments for specifying non-public usernames and passwords.)

I'm sorry, when did we go from "logged in your browser history" to "public"? Your argument is bullshit. You're saying that just because a particular thing has some (known) security caveats it's fine to gratuitously introduce more undiscoverable ones to bite people in the ass.

Sorry, but ultimately it comes down to this: curl is following the RFCs, and you are not.

Sometimes the RFCs are bullshit. If people followed the RFCs to the letter anyone could DoS any server, because they require vulnerable implementations of things like TCP. This is one of those times.

There is a huge gap between "I'm deliberately putting a password in URIs so I can paste them in a command line in the privacy of my home" to "hey browser please attach my password invisibly to every file I download so I can unknowingly hand it to someone in a USB stick"

That's why I think RFC1738 was better than the later revisions. Username and password in HTTP URLs should simply not be allowed, because it's such a source of security risks.

But they *are* allowed, and *while* they're allowed, gratuitously putting them into xattrs is utterly stupid. Actually putting URLs into xattrs at all by default is utterly stupid, because URLs often contain other kinds of credentials, plus it's just leaking personal info.